CVE-2026-49740
published 2026-06-09CVE-2026-49740: TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class…
PriorityP336medium6.3CVSS 4.0
AVLACLATNPRLUINVCNVILVANSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.21%
11.9th percentile
TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-core | >= 0 < 10.4.57 | 10.4.57 |
| typo3 | cms-core | >= 11.0.0 < 11.5.51 | 11.5.51 |
| typo3 | cms-core | >= 12.0.0 < 12.4.46 | 12.4.46 |
| typo3 | cms-core | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | cms-core | >= 14.0.0 < 14.3.3 | 14.3.3 |
| typo3 | typo3_cms | < 10.4.57 | 10.4.57 |
| typo3 | typo3_cms | >= 11.0.0 < 11.5.51 | 11.5.51 |
| typo3 | typo3_cms | >= 12.0.0 < 12.4.46 | 12.4.46 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.31 | 13.4.31 |
| typo3 | typo3_cms | >= 14.0.0 < 14.3.3 | 14.3.3 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-09
Published